** Description changed:

- Hostname verification is an important step when verifying X509
- certificates, however, people tend to miss the step when using SSL/TLS,
- which might cause severe man in the middle attack and break the entire
- TLS mechanism.
-
- We believe that httping didn't check whether the hostname matches the
- name in the ssl certificate and the expired date of the certificate.
+ When using OpenSSL, one needs to follow a certain process to ensure the
+ verification of the certificate is successful. But we believe that
+ httping didn't follow the correct process of verifying X509 certificate
+ which makes certain attacks possible.

We found the vulnerability by static analysis, typically, a process of
verification involves calling a chain of API, and we can deduce whether
the communication process is vulnerable by detecting whether the process
satisfies a certain relation.

The result format is like this:
notice: Line Number@Method Name, Source File

We provide this result to help developers to locate the problem faster.

This is the result for httping:
[PDG]connect_ssl
[Found]SSL_connect() [HASH] 1691133869 [LineNo]@ 143[Kind]call-site[Char] SSL_connect()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/httping/httping-1.4.4/mssl.c
[INFO] API SSL_new() Found! --> [HASH] 3841316347 [LineNo]@ 140[Kind]call-site[Char] SSL_new()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/httping/httping-1.4.4/mssl.c
[Warning] SSL_CTX_new() not found!

Verification process for vulnerability:
+ Expired Time
1. Change the system time to year 2200
2. command: httping -g i.mi.com -l
3. use wireshark to monitor the network traffic and we can find that the
ssl connection is successfully established.
+ Hostname
1. Modify hosts, use a different hostname. e.g. IP_FOR_i.mi.com fake.i.mi.com
2. httping -g fake.i.mi.com -l
3. use wireshark to monitor the network traffic and we can find that the
ssl connection is successfully established.

- for more information about the importance of checking hostname:
see http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf

Thanks.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1380232

Title:
  Vulnerability for X509 Certificate Verification

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/httping/+bug/1380232/+subscriptions

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
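
Added example, not part of the bug report and not the reporters' tool: a much-simplified text scan in the spirit of the API-chain check described above. It flags each SSL_connect() call in a C file that has no accompanying chain/expiry verification or hostname check, and returns findings in the report's "Line Number@Method Name, Source File" format. The names audit, REQUIRED and sample.c, and both C snippets, are constructed for illustration.

```python
import re

# Presence-only check: arguments such as SSL_VERIFY_NONE are not inspected.
REQUIRED = {
    "chain/expiry verification": ("SSL_CTX_set_verify", "SSL_set_verify",
                                  "SSL_get_verify_result"),
    "hostname check": ("SSL_set1_host", "X509_check_host"),
}
FUNC_DEF = re.compile(r"^[A-Za-z_].*?\b([A-Za-z_]\w*)\s*\([^;]*\)\s*\{?\s*$")
CALL = re.compile(r"\b([A-Za-z_]\w*)\s*\(")

def audit(source, path):
    """Return one 'Line@Method, File: missing ...' finding per SSL_connect()."""
    calls, connects, func = set(), [], "?"
    for lineno, line in enumerate(source.splitlines(), 1):
        m = FUNC_DEF.match(line)
        if m:  # a column-0 line without ';' is taken as a function header
            func = m.group(1)
            continue
        for name in CALL.findall(line):
            calls.add(name)
            if name == "SSL_connect":
                connects.append((lineno, func))
    missing = [what for what, apis in REQUIRED.items()
               if not calls.intersection(apis)]
    return [f"{lineno}@{func}, {path}: missing {', '.join(missing)}"
            for lineno, func in connects if missing]

# Constructed sample, not httping's code: handshake with no verification.
UNCHECKED = """\
int connect_ssl(int fd, SSL_CTX *ctx)
{
    SSL *ssl = SSL_new(ctx);
    SSL_set_fd(ssl, fd);
    return SSL_connect(ssl);
}
"""
# Constructed sample: the same function with the verification calls present.
CHECKED = """\
int connect_ssl(int fd, SSL_CTX *ctx, const char *host)
{
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
    SSL *ssl = SSL_new(ctx);
    SSL_set1_host(ssl, host);
    SSL_set_fd(ssl, fd);
    if (SSL_connect(ssl) <= 0) return -1;
    return SSL_get_verify_result(ssl) == X509_V_OK ? 0 : -1;
}
"""
```

Calling audit(UNCHECKED, "sample.c") reports the SSL_connect() line with both checks missing, while audit(CHECKED, "sample.c") returns an empty list.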
